enter a URL that points to the same location (for example, https://duke:8181/mutualauth/hello). This is necessary because during the SSL handshake, the server verifies the client certificate by comparing the certificate name with the host name from which it originates.
To create a keystore named client_keystore.jks that contains a client certificate named client.cer, follow these steps:
1. Create a backup copy of the server truststore file. To do this,
   a. Change to the directory containing the server's keystore and truststore files, as-install\domains\domain1\config.
   b. Copy cacerts.jks to cacerts.backup.jks.
   c. Copy keystore.jks to keystore.backup.jks.
   Do not put client certificates in the cacerts.jks file. Any certificate you add to the cacerts file effectively becomes a trusted root for any and all certificate chains. After you have completed development, delete the development version of the cacerts file and replace it with the original copy.
2. Generate the client certificate. Enter the following command from the directory where you want to generate the client certificate:
   java-home\bin\keytool -genkey -alias client-alias -keyalg RSA -keypass changeit -storepass changeit -keystore client_keystore.jks
3. Export the generated client certificate into the file client.cer.
   java-home\bin\keytool -export -alias client-alias -storepass changeit -file client.cer -keystore client_keystore.jks
4. Add the certificate to the truststore file domain-dir/config/cacerts.jks. Run keytool from the directory where you created the keystore and client certificate. Use the following parameters:
   java-home\bin\keytool -import -v -trustcacerts -alias client-alias -file client.cer -keystore domain-dir/config/cacerts.jks -keypass changeit -storepass changeit
   The keytool utility returns a message like this one:
   Owner: CN=localhost, OU=Java EE, O=Sun, L=Santa Clara, ST=CA, C=US
   Issuer: CN=localhost, OU=Java EE, O=Sun, L=Santa Clara, ST=CA, C=US
   Serial number: 3e39e66a
   Valid from: Thu Jan 30 18:58:50 PST 2005 until: Wed Apr 30 19:58:50 PDT 2005
   Certificate fingerprints:
   MD5: 5A:B0:4C:88:4E:F8:EF:E9:E5:8B:53:BD:D0:AA:8E:5A
   SHA1: 90:00:36:5B:E0:A7:A2:BD:67:DB:EA:37:B9:61:3E:26:B3:89:46:32
   Trust this certificate? [no]: yes
   Certificate was added to keystore
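The prompt in step 4 is the last chance to notice that the certificate being added to cacerts.jks is self-signed and will therefore be treated as a trusted root, as the warning in step 1 describes. As an added example that is not part of the tutorial, the following Python check parses the summary keytool prints and lists what a reviewer should know before answering yes; the sample output is constructed from the message above, and the function names parse_keytool_summary and review_for_truststore are assumptions.

```python
"""Review a keytool certificate summary before answering "Trust this certificate?"."""
from datetime import datetime

# Constructed sample: the summary keytool prints when importing the tutorial's client.cer
SAMPLE_OUTPUT = """\
Owner: CN=localhost, OU=Java EE, O=Sun, L=Santa Clara, ST=CA, C=US
Issuer: CN=localhost, OU=Java EE, O=Sun, L=Santa Clara, ST=CA, C=US
Serial number: 3e39e66a
Valid from: Thu Jan 30 18:58:50 PST 2005 until: Wed Apr 30 19:58:50 PDT 2005
Certificate fingerprints:
MD5: 5A:B0:4C:88:4E:F8:EF:E9:E5:8B:53:BD:D0:AA:8E:5A
SHA1: 90:00:36:5B:E0:A7:A2:BD:67:DB:EA:37:B9:61:3E:26:B3:89:46:32
"""


def parse_keytool_date(text):
    # keytool prints e.g. "Thu Jan 30 18:58:50 PST 2005"; the weekday and zone
    # tokens are dropped so parsing does not depend on local time zone names.
    parts = text.split()
    return datetime.strptime(" ".join(parts[1:4] + parts[5:6]), "%b %d %H:%M:%S %Y")


def parse_keytool_summary(output):
    """Return owner, issuer, serial, validity window and fingerprints as a dict."""
    info = {"fingerprints": {}}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("Owner", "Issuer"):
            info[key.lower()] = value
        elif key == "Serial number":
            info["serial"] = value
        elif key == "Valid from":
            start, _, end = value.partition(" until: ")
            info["valid_from"] = parse_keytool_date(start)
            info["valid_until"] = parse_keytool_date(end)
        elif key in ("MD5", "SHA1", "SHA256"):
            info["fingerprints"][key] = value
    return info


def review_for_truststore(info, now, expected_cn):
    """Findings a reviewer should see before importing into cacerts.jks."""
    findings = []
    if info["owner"] == info["issuer"]:  # self-signed: becomes a trusted root in cacerts
        findings.append("self-signed: importing into cacerts.jks makes it a trusted root")
    if not info["valid_from"] <= now <= info["valid_until"]:
        findings.append("not valid at %s" % now.date())
    if "CN=%s" % expected_cn not in info["owner"].split(", "):
        findings.append("owner CN is not %s" % expected_cn)
    return findings
```

Run review_for_truststore(parse_keytool_summary(keytool_output), datetime.now(), "localhost") on the real output; a non-empty list is the reason to answer no, or to confirm the development-only truststore will be restored from the backup taken in step 1.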
Establishing a Secure Connection Using SSL
The Java EE 5 Tutorial · September 2007